Hi tkteo,

Welcome to Webmaster World [webmasterworld.com].

It just so happens that there is a current thread on usinge-mail forms [webmasterworld.com] that will lead you to other links about encoding e-mail addresses and some ways to make e-mail forms more secure. I'm sure you'll find more than you want to know be reading through those threads.

Jim

I've read the spam prevention tip of using javascript to write the email address into the document, and I think it's a great idea. However, my client has a newsletter with tons of email addresses, and I do not really want to have to do <script... </script> for each email address. They are not one after another either, so I can't just write them all in one script tag.

My solution that I thought of was to have a php script just echo the javascript code out (which would be set to one variable) and just set the email address to a different variable (see below).

It would look something like this:
<?php $email="email@email.com"; echo $jscript;?>

and $jscript would read the $email variable and combine it with the javascript.

Do you think this would work efficently or would I just be wasting my time?

I did the javascript on one page - and it is the only page this email was ever put on.

It did seem to work to some extent - as I don't get as much spam as I do from any other email that has been crawled.

However - I still get spam for it.

I personally would recommend using a graphic that had the email address listed - although this is much less convenient for the user - if you are really concerned about spam.

Once your email address gets on the spam lists it will take at least 6 months for the rubbish to really dry up. However, you'll still get a few for years. Using methods to hide the email address on the site is a good start. Add some product at your end, where you collect and read the email, perhaps something like Mailwasher, to complete to the job.

For multiple email addresses why don't you have an external javascript file that does a document.write of the relevant line of code as a function and pass the email address from the HTML document to that function for writing. In order to stop spiders reading the email address before it is passed it should be passed in chunks.

In the <head> section you will need a:
<script type="text/javascript" src="scrambler.js"><script>

Assuming the function inside the javascript file is called es (short for email scrambler) then where each email address needs to go you just do:
<script type="text/javascript">es("jim,red,smith,com,widgets,director")</script>

which then renders to email the director jim smith and clicking that sends email to jim.smith@red.widgets.com - that is the basics and it does work as I already have a similar script on several sites.

You can write the script part, then it will be different to mine. It defeats the object if millions of people eventually end up with exactly the same script; the email harvesters will just build a detector for that script and then merrily harvest all they can.

Dear Webmasters,

thank you for replying.

As I am new to HTML, I have not yet learnt Javascript.

I came across this webpage that claims to encode email addresses:

http:/*/www.*****.com

Would anyone be able to tell me if their claim is sound?

[edited by: JamesR at 4:32 pm (utc) on June 20, 2003]
[edit reason] sorry, no URL drops per TOS, this one asks for email addys especially [/edit]

All is does is encode each character as an entity. It is a good start but is by no means foolproof. Javascript written links are a lot safer at the moment, and not too difficult to do. There are many examples on the web, and easily modified to suit.

Hmmm. That web site. It might be legitimate, but I am wary of it. I would prefer that it returned the resulting code on screen, then you cut and paste it in. However, I don't know who those guys are, so I'd be wary of typing in an email address, in the first place, just in case that the site is there purely to collect valid email addresses. The site emails you the code, which means that you can't cheat and add an extra character to the email address to fool them, whilst still getting the required code back. However, if it is legitimate, emailing you the code does ensure that you typed the corrrect address in. Aaaarrrgghh. Sticking to javascript.

[edited by: g1smd at 11:29 pm (utc) on June 9, 2003]

g1smd:

searching for "javascript email" on google led me to this page:

www.hiveware.com/enkoder_form.php

Would this work?

Thank you for your help and patience.

[edited by: JamesR at 4:34 pm (utc) on June 20, 2003]
[edit reason] delinked [/edit]

That is another way to do it. That has encoded the characters, added in a load of garbage characters, then made a function to extract and write the address to screen. It is a bit bloated code size, but probably works, and is a bit more high tech than the last one you suggested. However, if millions of people start using the same scripts then the spammers will just add a detector for that one. It is also going away from the direction that my original posts were considering; and I hope the poster who I aimed those comments at (MWpro) gets to read them.

Great post g1smd!

That seems to be much more efficent than mine and once I write the javascript for it I will be using it on my site.

Thanks again :D

You'll need to analyse the format of the email addresses first, in order to decide how you are going to split them up. You'll also need to analyse what the link text is going to be, as you will need to cater for that in both the script itself, and in the variables list passed to it. Think also about how you cater for null values in the list. You can even get creative and include the text for the title attribute in the list, the name of an image that is clicked to send email, and the alt attribute text for that image. The possibilities are endless, but try to keep it simple. Don't forget that any plain language stuff anywhere with email address parts in it should make it visually difficult to reassemble those chunks into the real email address.

Here's another version of the javascript email encoder I came across:

www.b-link.co.uk/stevedawson/script_hide_email.htm

Again, apologies, I cannot tell if the code it generates is "better" than than the earlier one I tried:

www.hiveware.com/enkoder_form.php

Well, obviously, if I googled enough, I will be able to find lots of them. That stated, I don't even know if I am being overly apprehensive about spam (then again, who can these days?). I just browsed through twenty or so of my colleagues's academic webpages (they are based at different universities). Only one of them used CSS; another appears to be using javascript to display his email address when the link is clicked on; the third displays his email along the lines of "email me at <me at mysite dot edu>".

Hmm, I would have thought my colleagues would be more "techie"!

[edited by: JamesR at 4:37 pm (utc) on June 20, 2003]
[edit reason] delinked [/edit]

I am by no means an expert on this topic, especially judging by the amount of SPAM I receive on a daily basis. One idea I have been toying with is writing my email address on the site as xxx@DELETE-THISxxx.com. If there was some information explaining for those users that don't catch the abnormality, would this work?

I just use a form and have the message sent to me from the server. People get my email when I reply to them. No fuss, no muss.

WBF

>> xxx@DELETE-THISxxx.com <<

Clever harvesting scripts already cut out words like delete, nospam, spam and so on.

You really need to use a system where the legitimate user of your email address does not have to mess about or be inconvenienced in any way, so I actually don't think that method is very good.

You would be better off to either use an email form (taking appropriate measures to block spammers sending millions of emails through it), or else munging the address using character encoding, combined with writing the address out using javascript commands.

g1smd, you seem to be very knowledgeable on this subject and I have learned much from this thread. Thank you for your posts.

You would be better off to either use an email form (taking appropriate measures to block spammers sending millions of emails through it)

What is the best way to take these appropriate measures? Right now I am using a simple php script I made to send the email from the form, but it has no protection for what you have described.

What is the best way to take these appropriate measures? Right now I am using a simple php script I made to send the email from the form, but it has no protection for what you have described.

hi... i'm wondering, too. i have an e-mail cgi script that uses domain restriction, so that only e-mail originating at specified domains (or IP addresses) can be sent throught the forms. Is this what was meant?

This is the Key_Master way:

<script type="text/javascript" language="JavaScript">
if (confirm("Send E-mail to '" + "\x69\x6e\x66\x6f" + "\x40" + "\x62\x61\x6e\x62\x6f\x74\x73\x2e\x63\x6f\x6d" + "'?")) {
location.href="javascript:history.back()"
location.href="\x6d\x61\x69\x6c\x74\x6f\x3a" + "\x69\x6e\x66\x6f" + "\x40" + "\x62\x61\x6e\x62\x6f\x74\x73\x2e\x63\x6f\x6d"
}
else {
location.href="javascript:history.back()"
}
</script>

Simple things you can do:

* Change the default name of the script (you'd be surprised at the number of people who search for "formmail").
* Change the driectory name where the script resides, cgi-bin or mail-script are not good names.
* Protect the directory in some way (will .htaccess do this?).
* Naming the directory in robots.txt is a good way to advertise the directory exists and may have something useful in it, so listing it isn't always a good idea.
* Rewrite the script so that it can only send mail to one hard coded address, or to one domain, or hard code it so that it only works if accessed from your web site, otherwise spammers will use it to send millions of spam emails worldwide per day through your server all with spoofed headers.

There is more, but it rapidly gets outside of what I know. There are numerous articles out there on this topic by well respected experts that add a lot more detail.

Always remember: Google is your friend. Heck, there is even a whole ODP category about it I expect (if not, then why not?)

Also see

[webmasterworld.com...]

:)

I'm using a method I haven't heard anyone mention. I can't remember if I thought this up myself or read about it somewhere. I write out the email address as if I was spelling each word and symbol out and giving instructions to turn all capitalized words into appropriate symbols and remove spaces:

myusername AT mydomain DOT com

This means the surfer will have to type in the email and it is an annoyance but so it getting a lot of spam.

The bumping of this topic reminded me to make an email writing javascript function. Gonna post it so others can learn from it if they'd like (although it is very basic).

In the head of the html file we call the external javascript file with this command

<script src="fun.js" language="javascript" type="text/javascript"></script>

in fun.js we put this code

<!--
function ewrite(a,b,c,d){
var mail;
var link;
mail=a+"@"+b+"."+c;
if(d == 0){
document.write(mail);
} 
else {
link='<a href="mailto:'+mail+'">'+mail+'</a>';
document.write(link);
}
}
// -->

And we call the function by putting this in the body of the html

<script type="text/javascript">ewrite("anyone","somedomain","com");</script>

This one that I made just divides the email into 3 parts as you can see. If you want to divide it even more it is easy to add to the code. It also makes the email address a link. If you do not want it to be a link and just want the email address as plain text, just pass down a 0 (zero) at the end of it like so

<script type="text/javascript">ewrite("anyone","somedomain","com",0);</script>

Got the idea from g1smd; just wanted to show people a simple way to make one.

Thanks, MWPro! Awesome.

Great posts g1smd - many thanks, you've given me some ideas there.

TJ

PS. 73! I take it you're licensed with a name like that....

I don't even know if I am being overly apprehensive about spam

No, you aren't. A recent study conducted with previously unused e-mail addresses showed that putting an address on the web was by far the fastest way to collect tons of spam.

Using forms with the e-mail in the script is a great way to avoid spam, but isn't always the most friendly way to foster communication with your visitors. There was a pretty good discussion of this issue in the context of link development here:
[webmasterworld.com...]

TJ: -.-- . ... :-)

You have the right idea for the script, but you need to slice and dice the address a bit more, and not have the parameter list in name, domain, extension order. The word "mailto" should be cut in two, and the pieces scattered. The script must go in an external file too (for anyone else thinking of rolling their own version).

There are many similar ways to achieve the same thing. If everyone does something slightly different, then harvesters won't be able to look for a particular part of a script and then know what bits to harvest.

I use an HTML encryption program to encrypt just the email addresses. This leaves the rest of the page "spiderable". It works very well for me. If you want a copy of the encryption program (it's free), send me a sticky note and you can have it.

I agree with Willy. A form is a really easy way to go and I've had no spam problem at all from it. I've used a form for the last three or so years.

I use this simple script to hide my email addresses from harvesting robots. Spammers can still get it by visiting my site but that's more rare in my experience.

Put this script into your HTML code where you want your email address to appear.

<SCRIPT LANGUAGE="JavaScript">

<!-- Begin
user = "yourname";
site = "yourdomain.com";

document.write('<a href=\"mailto:' + user + '@' + site + '\">');
document.write(user + '@' + site + '</a>');
// End -->
</SCRIPT>

Good luck.

You need to make that an external javascript file.

You need to slice and dice the email address a bit more.

If I wanted to collect a lot of high quality email addresses I would program my email harvester not to look for:

<a href="mailto:blahblahblah">

in HTML pages, but to instead look for:

user = "yourname";
site = "yourdomain.com";

inside <script> ... </script> tags. That script is used on millions of websites now.